Wireless digital networks, such as networks operating under current Institute of Electrical and Electronics Engineers (IEEE) 802.11 standards, are growing in popularity and availability. With such popularity, however, come problems of partitioning traffic in the wireless digital networks.
A VLAN is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location. A VLAN has the same attributes as a physical local area network (LAN), but it allows for end stations to be grouped together even if they are not located on the same network switch. Typically, VLAN memberships can be configured by a network administrator through software instead of physically relocating devices or connections. In a legacy network, users were assigned to networks based on geography and were limited by physical topologies and distances. However, VLANs can logically group networks so that the network location of users is no longer so tightly coupled to their physical location.
VLANs operate at the data link layer of the Open Systems Interconnection (OSI) model. Network administrators often configure a VLAN to map directly to an Internet Protocol (IP) network or sub-network in the network layer of the OSI model. A VLAN trunk typically refers to a network link carrying multiple VLANs, which are identified by labels (or VLAN tags) inserted into their frames. Such VLAN trunks usually run between tagged ports of VLAN-aware devices; and thus, they are often switch-to-switch or switch-to-router links rather than links to hosts. A router, which is a device functioning in the network layer, may serve as the backbone for network traffic transmitted across multiple different VLANs.
The protocol most commonly used in configuring VLANs is the IEEE 802.1Q standard. Under the IEEE 802.1Q standard, a network device performs explicit tagging—that is, the frame is tagged with VLAN information in a field. The frame header under the current IEEE 802.1Q standard contains a 4-byte tag inserted between the source address and the EtherType/length field, which includes a 2-byte tag protocol identifier (TPID) and a 2-byte tag control information (TCI). The TPID has a fixed value of 0x8100 that indicates that the frame carries the 802.1Q/802.1p tag information. Moreover, the TCI contains the following elements: (1) a three-bit user priority (priority code point); (2) a one-bit canonical format indicator (CFI); and (3) a twelve-bit VLAN identifier (VID), which uniquely identifies the VLAN to which the frame belongs. The twelve-bit VID provides 4,096 values, of which 0 and 4,095 are reserved, so a given Ethernet network is limited to 4,094 usable VLANs.
Conventionally, VLANs are used in enterprise networks to separate a network into multiple logically separated networks. For example, these networks contain devices that should be contained in separate trust domains, yet are simply separated by VLANs while still being connected to the same physical switch. Nevertheless, in order to create a VLAN for each network, a network administrator has to set up and configure the VLANs on the switches and routers in the network. Moreover, the network administrator also needs to configure a sub-network address scope for each VLAN on the Dynamic Host Configuration Protocol (DHCP) server. However, configuring and managing VLANs can become complicated tasks. Thus, it may not always be practical to establish VLANs in enterprise networks.
Furthermore, in order to preserve backward compatibility with legacy devices, native VLANs are used to communicate with devices that do not support VLANs. Network traffic on native VLANs cannot be easily separated. Also, because native VLANs are typically untagged on the IEEE 802.1Q trunk ports, this can lead to security vulnerabilities in the network. For example, an attacker may craft an IEEE 802.1Q double-tagged frame with an outer VLAN tag matching the trunk's native VLAN and an inner VLAN tag naming a target VLAN: the first switch strips the outer native-VLAN tag on trunk egress, and the next switch forwards the frame on the VLAN named by the inner tag, so the frame hops across VLANs. Common countermeasures are to assign the native VLAN to an unused VLAN identifier, to keep user ports out of the native VLAN, and to tag native-VLAN traffic on trunks.
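The following is an added example, not part of the original text. It builds and parses the 4-byte 802.1Q tag described above (TPID 0x8100, then a TCI holding a 3-bit priority, 1-bit CFI and 12-bit VID), and then models the native-VLAN behaviour of a trunk port to show why a double-tagged frame hops VLANs and why tagging the native VLAN or moving it to an unused VID stops the hop. The switch model (ingress classification by outer tag, stripping of the outer tag for native-VLAN frames on untagged trunk egress) is a simplification adopted here; the MAC addresses and payload are constructed sample data.

```python
import struct

TPID_8021Q = 0x8100       # Tag Protocol Identifier of an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample data for the example (not from a real capture).
DST = b"\xff" * 6                          # broadcast
SRC = bytes.fromhex("020000000001")        # locally administered MAC
PAYLOAD = b"\x45" + bytes(19)              # stand-in for an IPv4 header


def build_tag(vid, pcp=0, cfi=0):
    """4-byte 802.1Q tag: 2-byte TPID + 2-byte TCI (PCP:3 | CFI:1 | VID:12).
    VID 0 and 4095 are reserved by 802.1Q but are not rejected here."""
    if not 0 <= vid <= 0xFFF:
        raise ValueError("VID must fit in 12 bits")
    tci = ((pcp & 0x7) << 13) | ((cfi & 0x1) << 12) | (vid & 0xFFF)
    return struct.pack("!HH", TPID_8021Q, tci)


def build_frame(dst, src, vids, payload, ethertype=ETHERTYPE_IPV4):
    """Ethernet frame carrying zero or more 802.1Q tags, outermost first."""
    tags = b"".join(build_tag(v) for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Walk the tag stack after the 12-byte address pair.
    Returns (tags outermost-first as dicts, byte offset of the EtherType)."""
    off, tags = 12, []
    while off + 4 <= len(frame) and struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append({"pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0xFFF})
        off += 4
    return tags, off


def classify(frame, native_vid):
    """Trunk ingress: a frame belongs to its outer tag's VID, or to the
    native VLAN if it arrives untagged."""
    tags, _ = parse_tags(frame)
    return tags[0]["vid"] if tags else native_vid


def trunk_egress(frame, vid, native_vid, tag_native=False):
    """Trunk egress. Native-VLAN frames go out untagged (outer tag popped)
    unless the trunk is configured to tag the native VLAN; every other
    frame keeps its outer tag."""
    tags, _ = parse_tags(frame)
    if vid == native_vid:
        if tag_native and not tags:
            return frame[:12] + build_tag(native_vid) + frame[12:]
        if not tag_native and tags:
            return frame[:12] + frame[16:]        # pop the outer 4-byte tag
    return frame


def hop_vlans(frame, native_vid, tag_native=False):
    """VLAN the frame is placed in at switch A (ingress) and at switch B
    after crossing the A->B trunk whose native VLAN is native_vid."""
    vid_a = classify(frame, native_vid)
    on_wire = trunk_egress(frame, vid_a, native_vid, tag_native)
    vid_b = classify(on_wire, native_vid)
    return vid_a, vid_b


if __name__ == "__main__":
    attack = build_frame(DST, SRC, [1, 20], PAYLOAD)   # outer VID 1, inner VID 20
    print("tags:", parse_tags(attack)[0])
    print("native=1, untagged native :", hop_vlans(attack, 1))               # (1, 20) hop
    print("native=1, tagged native   :", hop_vlans(attack, 1, tag_native=True))  # (1, 1)
    print("native=999 (unused VID)   :", hop_vlans(attack, 999))             # (1, 1)
    print("ordinary VID-20 frame     :", hop_vlans(build_frame(DST, SRC, [20], PAYLOAD), 1))
```

With the trunk's native VLAN at its usual value of 1 and left untagged, the attacker's frame is classified into VLAN 1 at the first switch, loses its outer tag on the trunk, and is then classified into VLAN 20 at the second switch; both countermeasures shown leave it in VLAN 1 end to end.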
In some enterprise networks, network enclaves are used to partition the network to help prevent threats in one domain from spreading to another. A network enclave is a segment of an internal network that is defined by common security policies. It is necessary when the confidentiality, integrity, or availability of a set of resources differs from those of the general computational environment. The purpose of a network enclave is to restrict internal access to critical computing devices. In more security-conscious environments, these networks of different trust levels can be physically separated from each other. Nevertheless, network enclaves or security trust domains merely separate access to network resources; they do not by themselves separate network traffic.